Use when configuring Fnox providers for encryption and secret storage. Covers age encryption, cloud providers (AWS, Azure, GCP), and password managers.
Limited to specific tools
Additional assets for this skill
This skill is limited to using the following tools:
name: fnox-providers description: Use when configuring Fnox providers for encryption and secret storage. Covers age encryption, cloud providers (AWS, Azure, GCP), and password managers. allowed-tools:
Configuring encryption and secret storage providers in Fnox for secure secrets management.
Fnox supports three categories of providers:
# Generate age key pair
age-keygen -o ~/.config/fnox/keys/identity.txt
# Get public key
cat ~/.config/fnox/keys/identity.txt | grep "public key"
# age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p
# fnox.toml (committed)
[providers.age]
type = "age"
public_keys = ["age1ql3z7hjy54pw3hyww5ayyfg7zqgvc7w3j2elw8zmrj2kg5sfn9aqmcac8p"]
# fnox.local.toml (gitignored)
[providers.age]
identity = "~/.config/fnox/keys/identity.txt"
# Set encrypted secret
fnox set DATABASE_PASSWORD
# Prompts for value, encrypts with age public key
# Set from command
echo "secret-value" | fnox set API_KEY --provider age
# Multiple recipients for team access
[providers.age]
type = "age"
public_keys = [
"age1ql3z...", # Alice
"age1qw4r...", # Bob
"age1qx5t...", # CI/CD
]
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Optional: profile = "production"
# Reference AWS secret
fnox set DATABASE_URL --provider aws-sm
# Enter: prod/database-url (AWS secret name)
[secrets]
DATABASE_URL = {
provider = "aws-sm",
value = "prod/database-url",
description = "Production database connection string"
}
API_KEY = {
provider = "aws-sm",
value = "prod/api-key"
}
[providers.kms]
type = "aws-kms"
key_id = "arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012"
region = "us-east-1"
# Encrypt with KMS
fnox set SECRET_KEY --provider kms
[providers.azure]
type = "azure-kv"
vault_url = "https://my-vault.vault.azure.net"
# Authentication via Azure CLI or environment variables
[secrets]
DATABASE_PASSWORD = {
provider = "azure",
value = "database-password",
description = "Azure Key Vault secret name"
}
[providers.gcp]
type = "gcp-sm"
project_id = "my-project"
# Authentication via gcloud or service account
[secrets]
API_KEY = {
provider = "gcp",
value = "projects/my-project/secrets/api-key/versions/latest"
}
[providers.vault]
type = "vault"
address = "https://vault.example.com"
token = { env = "VAULT_TOKEN" } # From environment
[secrets]
DATABASE_URL = {
provider = "vault",
value = "secret/data/prod/database-url"
}
[providers.onepassword]
type = "1password"
# Requires 1Password CLI (op) installed
[secrets]
API_KEY = {
provider = "onepassword",
value = "op://Production/API Keys/api-key"
}
DATABASE_PASSWORD = {
provider = "onepassword",
value = "op://Production/Database/password"
}
[providers.bitwarden]
type = "bitwarden"
# Requires Bitwarden CLI (bw) installed and unlocked
[secrets]
STRIPE_KEY = {
provider = "bitwarden",
value = "item-id/field-name"
}
# Test specific provider
fnox provider test age
fnox provider test aws-sm
# List configured providers
fnox provider list
# Add provider interactively
fnox provider add
# Remove provider
fnox provider remove age
# Development: age (simple, local encryption)
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
# Production: Cloud secret manager
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Team collaboration: 1Password or Bitwarden
[providers.onepassword]
type = "1password"
# Different providers for different secrets
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
[secrets]
# Development secrets with age
DEV_API_KEY = { provider = "age", value = "age[...]" }
# Production secrets with AWS
PROD_DATABASE_URL = { provider = "aws-sm", value = "prod/db-url" }
# Name providers descriptively
[providers.prod-secrets]
type = "aws-sm"
region = "us-east-1"
[providers.staging-secrets]
type = "aws-sm"
region = "us-west-2"
[secrets]
DATABASE_URL = { provider = "prod-secrets", value = "prod/db" }
# fnox.toml (development)
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
[secrets]
DATABASE_URL = { provider = "age", value = "age[...]" }
# fnox.production.toml
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
[secrets]
DATABASE_URL = { provider = "aws-sm", value = "prod/database-url" }
[providers.us-secrets]
type = "aws-sm"
region = "us-east-1"
[providers.eu-secrets]
type = "aws-sm"
region = "eu-west-1"
[secrets]
US_API_ENDPOINT = { provider = "us-secrets", value = "us/api-endpoint" }
EU_API_ENDPOINT = { provider = "eu-secrets", value = "eu/api-endpoint" }
# Development secrets: age encryption
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
# Shared team secrets: 1Password
[providers.team]
type = "1password"
# Production secrets: AWS
[providers.prod]
type = "aws-sm"
region = "us-east-1"
[secrets]
DEV_DATABASE_URL = { provider = "age", value = "age[...]" }
TEAM_SLACK_WEBHOOK = { provider = "team", value = "op://Team/Slack/webhook" }
PROD_DATABASE_URL = { provider = "prod", value = "prod/db-url" }
# Bad: Hardcoded credentials
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
access_key_id = "AKIAIOSFODNN7EXAMPLE" # NEVER DO THIS
secret_access_key = "wJalrXUtnFEMI/..." # NEVER DO THIS
# Good: Use AWS credentials chain
[providers.aws-sm]
type = "aws-sm"
region = "us-east-1"
# Credentials from ~/.aws/credentials or environment
# Bad: Too many providers for simple project
[providers.age]
type = "age"
[providers.aws-sm]
type = "aws-sm"
[providers.azure]
type = "azure-kv"
[providers.gcp]
type = "gcp-sm"
# Good: Choose one appropriate provider
[providers.age]
type = "age"
public_keys = ["age1ql3z..."]
# Bad: Private key in config
[providers.age]
identity = "AGE-SECRET-KEY-..." # NEVER COMMIT THIS
# Good: Reference external file
[providers.age]
identity = "~/.config/fnox/keys/identity.txt" # Gitignored
[providers.age]
type = "age"
public_keys = [
"age1ql3z...", # Team member 1
"age1qw4r...", # Team member 2
"age1qx5t...", # CI/CD system
]
[providers.shared-secrets]
type = "aws-sm"
region = "us-east-1"
role_arn = "arn:aws:iam::123456789012:role/CrossAccountSecretsRole"
[providers.vault-prod]
type = "vault"
address = "https://vault.example.com"
namespace = "production"
token = { env = "VAULT_TOKEN" }